Data processing terms
Definitions
Unless otherwise provided in the Terms, the meaning of capitalized words is stated in Annex A to the Terms.
Terms
The Terms govern the processing and security of Company Personal Data.
Roles and data processing instructions
The Parties acknowledge and agree that:
- Alfred Jobs is a processor of Company Personal Data;
- the Company is a controller or processor, as applicable, of Company Personal Data;
- each Party will comply with the obligations applicable to it under the applicable law with respect to the processing of Company Personal Data.
If the Company is a processor, the Company warrants to Alfred Jobs that Company’s instructions and actions with respect to Company Personal Data, including its appointment of Alfred Jobs as another processor, have been authorized by the relevant controller.
By entering into the Terms, the Company instructs Alfred Jobs to process Company Personal Data only in accordance with applicable law: (a) to provide the Processor Services; (b) as further specified via Company’s use of the Processor Services; (c) as documented in the Agreement, including the Terms; and (d) as further documented in any other written instructions given by the Company and acknowledged by Alfred Jobs as constituting instructions for purposes of the Terms.
Duration of personal data processing
Processing of Company Personal Data shall be performed for the duration of the Agreement plus the period until the deletion of all Company Personal Data in accordance with the Terms.
Nature and purpose of personal data processing
Alfred Jobs shall process Company Personal Data through means of automated processing to provide the Company with the Processor Services.
Types of personal data
The Company Personal Data may include data collected by the Alfred System during the use of Alfred System, login data, identification data, user type data, user activity data, contact data, communication data and voice and image records.
Categories of data subjects
Company Personal Data will concern the following categories of data subjects:
- data subjects about whom Alfred Jobs collects personal data in its provision of Processor Services; and/or
- data subjects about whom personal data is transferred to Alfred Jobs in connection with Processor Services by, at the direction of, or on behalf of the Company.
Depending on the nature of the Processor Services, these data subjects may include (a) Company’s employees or other Company’s co-workers, (b) members of Company’s bodies; (c) Company’s clients.
Rights and obligations of the Parties
If any third person, particularly a data subject or supervisory authority, requests any Party to provide any information in relation to personal data processing under the Agreement or the Terms, or in this relation makes any claim or exercises any right against any Party, the Party undertakes to inform the other Party about such procedure without undue delay.
The Company is liable for fulfilling all obligations in relation to Company Personal Data processing, particularly for informing data subjects about Company Personal Data processing, obtaining consent with Company Personal Data processing if necessary, dealing with data subjects’ requests relating to the exercise of their rights (such as right to information, access, rectification, erasure, restriction of processing, right to data portability, right to object etc.). The Company is further liable for fulfilling all notification obligations towards any supervisory authority relating to Company Personal Data processing, especially for notifying the supervisory authority on any personal data breach.
The Company is solely responsible for reviewing the Terms and evaluating for itself whether the security measures, and Alfred Jobs’s commitments hereunder meet Company’s needs, including with respect to any security obligations of the Company under the applicable law
The Company acknowledges and agrees that (considering the state of the art, the costs of implementation and the nature, scope, context, purposes and differently probable and differently serious risks to individuals) the security measures implemented and maintained by Alfred Jobs as set out in the Terms provide a level of security appropriate to the risk in respect of the Company Personal Data.
For the duration of Company Personal Data processing, if Alfred Jobs receives any request from a data subject in relation to Company Personal Data, Alfred Jobs shall advise the data subject to submit its request to the Company and the Company will be responsible for responding to any such request.
For the purpose of the Company Personal Data protection Alfred Jobs undertakes, for the duration of processing Company Personal Data under the Terms, that it:
- shall take appropriate steps to ensure compliance with the security measures by its employees, contractors and suppliers to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Company Personal Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality;
- shall implement and maintain technical and organizational measures to protect Company Personal Data against any personal data breach described in Annex B to the Terms;
- shall not engage another processor without prior authorization of the Company, except for cloud services providers ensuring data transfer between Parties, Alfred Jobs’s service staff and service partners, who shall provide the Company with support and maintenance services, Alfred Jobs’s software developers, and in case of engaging the above mentioned processors, Alfred Jobs shall ensure to obligate them to adhere to the Terms;
- in the scope appropriate to the nature of processing and available information, Alfred Jobs shall be supportive of the Company with ensuring appropriate technical and organizational measures to secure the personal data, notifying personal data breach to any supervisory authority or data subject, assessing data protection impact and with prior consultations with the supervisory authority;
- shall provide the Company with necessary information, which can be fairly demanded from Alfred Jobs, to fulfill the Company’s obligation to react to the data subject’s request to exercise its rights under the data protection legislation;
- shall delete, upon the termination of the provision of Processor Services, Company Personal Data, including all existing copies, unless the European Union or Member State law requires its storage;
- shall provide the Company with all information necessary to demonstrate Alfred Jobs’s compliance with the obligations stated in the Terms and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company according to audit terms stipulated in Annex C to the Terms.
Final provisions
The Terms have been drawn up in English. All obligations of Alfred Jobs towards the Company related to the Terms shall be fulfilled in the English language.
Should any of the provisions hereof be or become invalid, void, ineffective or unenforceable, this fact shall not affect the rest of the Terms. The Parties agree to replace any such invalid, ineffective, void or unenforceable provisions of the Terms with a provision that is valid, effective, not considered void, enforceable and with the same business and legal meaning within 14 (fourteen) days of receiving a request from the other Party.
In the event of changes to the applicable law or changes to the interpretation rules or practices for interpretation of the applicable law, Alfred Jobs may amend the Terms within a reasonable scope. The amendment of the Terms shall be reported by Alfred Jobs on its website and by e-mail to the last known e-mail address of the Company used for the communication with Alfred Jobs. Unless rejected by the Company within 1 (one) month since sending the notification to the Company, the Company is deemed to have adopted the amended Terms. Should the Company reject the amended Terms within the aforementioned period, this fact shall constitute the termination of the Terms with a 2 (two) months termination period; during this period the last Terms accepted by both Parties shall apply. Termination of the Terms under this clause does not constitute termination of the Agreement; however, following the termination of the Terms if the Parties do not reach an agreement on new data processing terms as required by applicable law within a 2 (two) months period, any Party has the right to immediately terminate the Agreement by sending a written termination notice to the other Party effective as of the day of its delivery.
Annex A
Definitions
Agreement
an agreement concluded between the Parties which incorporates the Terms by referring to them, particularly the agreement on using the Alfred System, concluded when the Company accepted the “Company Terms and Conditions for Alfred System”. GDPR
is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Processor Services
are the services provided by Alfred Jobs to the Company under the Agreement and any related technical support which includes personal data processing.
Company
is the commercial company that has concluded the Agreement with Alfred Jobs.
Company Personal Data
is the personal data that is processed by Alfred Jobs on behalf of the Company while providing the Processor Services to the Company.
The terms „controller“, „data subject“, „personal data“, „personal data breach“, „processing“, „processor“ and „supervisory authority“
have the meaning given to them in GDPR.
Annex B
Security measures
As from the Terms effective date, Alfred Jobs will implement and maintain the security measures set out in this Annex B. Alfred Jobs may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the processing.
Risk-based principle. Alfred Jobs shall periodically review the risk of information security, in connection with personal data and important activities of the Company. Fulfillment of the Alfred Jobs’ obligation to assure the data security is performed by the position of security manager, who acts within the Alfred Jobs’ management.
Organizational security. Alfred Jobs shall implement measures to secure the personal data against the human failure, in particular:
- adopting and maintaining internal regulation and documentation on the internal security;
- periodical co-workers’ training on the rules of dealing with personal data and the risk of information security;
- ensuring that all employees, contractors, suppliers and other third persons with access to personal data have committed themselves to contractual liability;
- adopting and maintaining processes relating to the work with the Alfred Jobs’ key assets, particularly with Company Personal Data.
Technical measures. Alfred Jobs shall implement appropriate technical measures to secure the personal data, particularly:
- server antivirus solution for protection against malware;
- network security solution, combining firewalls, configuration of network features and other technologies;
- encryption of data transmission in the Alfred System using HTTPS;
- secure storage of personal data in the SQL database on the server within the European Union;
- important infrastructure and data backup.
On-site security. To secure the personal data stored in written form and the IT devices, Alfred Jobs shall particularly implement:
- personal data access processes and policies;
- premises and on-site/digital repository security.
Annex C
Rules for audits
- The Company must send any requests for the audit solely to the Alfred Jobs’s email address alfred@alfred.com.mt.
- Following receipt by Alfred Jobs of a request for audit, Alfred Jobs and the Company will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any audit; and (ii) the reasonable commencing date, scope and duration of and security and confidentiality controls applicable to any audit.
- Alfred Jobs may charge a fee (based on its reasonable costs) for any audit requested by the Company. Alfred Jobs shall provide the Company with further details of any applicable fee or the basis of its calculation, in advance of any such audit. The Company will be responsible for any fees charged by any auditor appointed by the Company to execute any such audit.
- Alfred Jobs may object in writing to an auditor appointed by the Company to conduct any audit, if the auditor is, in Alfred Jobs’s reasonable opinion, not suitably qualified or independent, a competitor of Alfred Jobs, or otherwise manifestly unsuitable. Any such objection by Alfred Jobs will require the Company to appoint another auditor or to conduct the audit itself.